Sherman's Security Blog
I am Sherman Hand (also known as Policysup). I have created this blog and will use a part of my day to write about what is going on in the world. I hope to discuss things in a down-to-earth and practical way. I hope to hear back from you on your thoughts. I do not in any way intend to speak for my employer. The content of this blog will be either opinions that are strictly mine, general observations, reposts, or information that is already in the public domain.

The latest news is that approximately 6 million Facebook users had their email addresses or telephone numbers inappropriately shared.

Bad enough, you might think, but when you dig down into how the breach occurred you realize that the users may *never* have uploaded those email addresses and contact numbers to Facebook themselves.

Pardon me for being cynical, but it seems somewhat convenient that Facebook releases the news on Friday afternoon Pacific Time when many reporters are either looking forward to a weekend away from their keyboards, or are already shutting down their computers or are even tucked up in bed.

If I was in charge of Facebook’s crisis communications team, I might also counsel that the best way to minimize fall-out from the announcement you don’t really want to make is to release it at precisely the same time – when America’s East coast reporters have left the office for the weekend, and Europe is already asleep.

The hope would be that by Monday, when the media settles down for another working week, the story will already seem stale. Facebook is saying all the right things in an attempt to dampen any flames, stating (and I believe them) that it has seen “no evidence that the ‘bug’ has been exploited maliciously”.

It doesn’t do the company any harm either, of course, if they give the embarrassing announcement a dull title like “Important Message from Facebook’s White Hat Program”, rather than using words like “Privacy Breach” or “Sorry, we screwed up”.

It’s called damage limitation. For the Facebook brand, at least. It’s not called doing your level best to get the issue reported to as wide an audience as possible.

It’s not the first time that Facebook has made an announcement of a privacy/security snafu at the best possible time of the week, PR-wise.

For instance, at a near-identical time on another Friday (February 15, 2013) earlier this year, the social network announced that malware had breached its developers’ systems by way of a zero-day Java exploit.

Two announcements that no company ever really wants to make. Both released at the same time of day, at the same time of the week, to minimise damage to the social network’s reputation.

Hats off to Facebook’s PR team. They’re earning their money.

In all likelihood, they’ll be proving their worth to the company again. After all, Facebook’s internal mantra is “Move fast and break things”.